FIELD OF THE INVENTION

The present invention relates generally to the field of digital copyright protection. More specifically, the present invention deals with protection measures against illegal copying of digital audio and/or video.
BACKGROUND OF THE INVENTION

Illegal copying and distribution of multimedia digital content (audio and video) has become prevalent in recent years, especially over the Internet. This illegal copying and distribution infringes copyright protection laws and causes financial damage to the rightful owners of the digital content. It is therefore of great interest to find methods that would mitigate illegal copying and/or distribution of multimedia files without impeding rightful usage.
Methods for usage rights enforcement of digital media are known. Some methods are designed to monitor digital copying of the digital content. For example, the system described in US patent 6,115,533 authenticates an information signal prior to mass duplication of the signal by analyzing the signal to detect the presence or absence of a security signal therein, inserting a security signal into the information signal, and recording the modified signal only if no security signal was detected. US patent 6,167,136 describes a method for securely storing analog or digital data on a data storage medium: an analog information signal is combined with a noise signal. The composite noise and information signal is encrypted with a key, which is derived from the noise signal. The encrypted composite signal is compressed and then recorded on the data storage medium along with an encrypted value of the key. The storage medium data is read, decompressed, and decrypted using a decryption key derived from the stored encrypted key. The data is then converted to an analog signal and combined with a noise correction signal derived from said key to eliminate the noise signal that was added to the analog information signal before storing the signal on the data storage medium.
Systems that run the MS-Windows™ operating system (OS) are equipped with the OS's Digital Rights Management (DRM), which supplies standard protection to digital content. The DRM consists of a set of filters, such as decryption, decoding and others, that manipulate and channel the digital content to the screen card and/or sound card. Each filter exposes a set of virtual pins to connect to the filters preceding and succeeding it. Each filter receives the digital content from its predecessor, manipulates it and transfers it to the next filter in the graph. While this traditional component may be a viable solution for some digital content, it provides insufficient security to protect premium digital content. Since it is a layered component, at each layer a hacker can insert infringing software that connects between two filters (via the virtual pins) and redirects the digital content to the disk. A hacker may also substitute one of the OS-supplied filters with his or her own, hence hacking into the video path and, again, redirecting the digital content to the disk.

Other solutions wrap the digital content within an encryption and business rules envelope. The rules are stored in a local database protected by encryption. This solution supplies better digital content management capabilities but is weaker on the security side: if the local database is breached, the hacker can change the policy of the digital content. Furthermore, the digital content encryption is easier to breach in these types of solutions, since it is not an integral part of the digital content player.

While these methods make illegal copying difficult, it is commonly believed that none of the existing methods provides sufficient security against determined and competent opponents. Furthermore, once a certain protection method is cracked, the cracking tools and methods may become available to a large community via the Internet, thereby rendering the digital content effectively unprotected; an updateable solution is therefore highly desirable.

It is foreseeable that as the availability of disk space and bandwidth for data communication increases, illegal distribution of video and audio digital content will become prevalent unless effective counter-measures are taken.
SUMMARY OF THE INVENTION

The present invention seeks to provide a novel method and system for securing the digital path of digital video and/or audio and/or other digital content, in a manner that substantially increases the difficulty of illegally copying the digital content. The system is based on securing the digital path of the digital content bit stream, from its source until it is finally rendered for display.

This security is basically achieved using one or more of the following methods and techniques:

• Obscuring and/or scrambling the digital content in the basic video/audio path, and forming one or more side paths that contain the information needed for the reconstruction of the digital content, thereby effectively resisting possible copying along the path.

• Splitting the bitstream into at least thereby effectively resisting possible copying along the path.

Said splitting and scrambling is best performed as early as possible and recombined at the latest possible stage, essentially protecting the digital content at all vulnerable points in the path, for example, in the same module that decrypts previously encrypted digital content.

There is also provided in accordance with a preferred embodiment of the present invention a method that further enhances the security and additionally provides an effective trade-off between security level and ease of operation, based on trustworthiness credentials. Said trustworthiness credentials are based on information that is gathered using methods such as:

• Geo-location: authentication support may be included to augment the system's ability to geo-locate the consumer; this may be necessary for business, legal, or other requirements (e.g. time zone authentication, which may stem from other business or legal requirements). The level of geo-location authentication may be used as a trustworthiness credential.

• Renderer reports: in order to monitor the client's ability to use external interfaces to access the digital content (e.g. a VCR on a video-out interface), the renderer can report the type of video card and, as an option, insert a custom interference into the signal, which would not hamper viewing but would prevent recording, or would altogether prevent using the video-out interface. An information gathering method (e.g. via the DDC, the 'Display Data Channel' monitor 'Plug and Play' communication protocol) could also be used to report the type of monitor used. The information gathered can be used in order to estimate trustworthiness credentials.

• Authentication: the identity of the consumer can be authenticated. This can be achieved by compounding several methods, which could be a software/hardware key/challenge-response scheme, user and password-phrase, etc. The level of consumer identity authentication may be used as a trustworthiness credential.

There is also provided in accordance with a preferred embodiment of the present invention a system that, in order to further enhance the security of the system, incorporates one or more of the following methods and techniques:

• Path authentication: the system assures that the path is composed only of components that should participate in it, and that it was not subjected to tampering before and/or during the passage of the digital content throughout the path.

• Path consolidation: in cases where the path is implemented using connected software filters ("filter graph"), the secure path is composed of tamper resistant, consolidated filters, which use minimal external interfaces, thereby increasing the security of the system. The number of filters is maintained as low as possible. In cases where no other constraint exists, only one such filter is included (e.g. in cases where compatibility with existing components or with a standard interface is required, the system may be composed of three filters, namely a source filter, a video renderer and an audio output, or other combinations according to the compatibility requirements). The interface of each filter is preferably encrypted and/or secured using other methods.

• In-path encryption/decryption: for encrypted digital content, encryption and decryption is done within the secure video path, thereby eliminating the chance of intercepting decrypted digital content outside the secure video path.

There is also provided in accordance with a preferred embodiment of the present invention methods that increase the overall security, based on:

• Automatic update support: the consumer side component should report, while communicating with the central server and/or the digital content servers, its update level, and either perform automatic updates as necessary (alternatively, the consumer could query the server for the current/necessary update version and initiate the update without reporting the current version) or prompt the consumer to initiate them. Either way, the update level may be used as a trustworthiness credential when deciding to allow a certain transaction, as will be other security enhancing options.

• Hardware security options: in addition to enhancing the security of software tamper resistance, dedicated hardware can optionally be used (perhaps as an optional, security-credentials-enhancing feature) in order to support geo-location and authentication.

According to a first aspect of the present invention there is provided a method for secure distribution of digital content to an untrusted environment, comprising the steps of: constructing a relatively trusted environment within the untrusted environment; constructing at least two digital inputs, the digital inputs being operable in order to reproduce the digital content; transferring digital media to the relatively trusted environment such that each of the inputs is transmitted via a different path; and combining the inputs in order to reproduce the digital content.
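As an added illustration (not code from the patent), the following Python realises the first aspect as an XOR split: a scrambled copy travels on one path, the masks needed for reconstruction on the others, an integrity tag on a side path, and only the receiving (relatively trusted) side recombines them. It generalises the two-input case to any number of paths; path names, the tag scheme and the sample content are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_content(content: bytes, n_inputs: int = 2) -> list[bytes]:
    """Split content into n_inputs shares that must ALL be present to reproduce it.

    Shares 0..n-2 are independent random masks (the 'information needed for
    reconstruction'); the last share is the content XORed with every mask (the
    'scrambled copy'). Any proper subset of the shares is uniformly random, so a
    copy lifted from a single path reveals nothing about the content.
    """
    if n_inputs < 2:
        raise ValueError("need at least two inputs")
    masks = [secrets.token_bytes(len(content)) for _ in range(n_inputs - 1)]
    scrambled = content
    for mask in masks:
        scrambled = xor_bytes(scrambled, mask)
    return masks + [scrambled]


def combine_inputs(inputs: list[bytes]) -> bytes:
    """Recombine the shares; this is the only point where clear content exists."""
    out = inputs[0]
    for share in inputs[1:]:
        out = xor_bytes(out, share)
    return out


def content_tag(content: bytes) -> bytes:
    """Integrity tag carried on a side path so the receiver can check the result."""
    return hashlib.sha256(content).digest()


def deliver(content: bytes, n_inputs: int = 2) -> dict[str, bytes]:
    """Server side: one message per path (path names are constructed for the example)."""
    shares = split_content(content, n_inputs)
    messages = {f"path-{i}": share for i, share in enumerate(shares)}
    messages["side-tag"] = content_tag(content)
    return messages


def receive(messages: dict[str, bytes]) -> bytes | None:
    """Client side (the relatively trusted environment): recombine and verify.

    Returns the content only when the recombined bytes match the side-path tag;
    a missing, truncated or substituted path yields None instead of garbage.
    """
    shares = [v for k, v in sorted(messages.items()) if k.startswith("path-")]
    if len(shares) < 2:
        return None
    try:
        candidate = combine_inputs(shares)
    except ValueError:
        return None
    if not hmac.compare_digest(content_tag(candidate), messages.get("side-tag", b"")):
        return None
    return candidate


if __name__ == "__main__":
    sample = b"constructed sample frame data 0123456789"   # constructed input
    msgs = deliver(sample, n_inputs=3)
    assert receive(msgs) == sample
    msgs.pop("path-1")                                    # one path lost: no content
    assert receive(msgs) is None
```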

In a preferred embodiment of the present invention, the digital content is a document.

In another preferred embodiment of the present invention, the digital content is multimedia digital content.

In another preferred embodiment of the present invention, the multimedia digital content is audio digital content.

In another preferred embodiment of the present invention, the multimedia digital content is video digital content.

In another preferred embodiment of the present invention, the multimedia digital content consists of at least two different streams.

In another preferred embodiment of the present invention, at least one of the streams consists of video digital content.

In another preferred embodiment of the present invention, at least one of the streams consists of audio digital content.

In another preferred embodiment of the present invention, at least one of the streams consists of textual digital content.

In another preferred embodiment of the present invention, the untrusted environment comprises a consumer's computer.

In another preferred embodiment of the present invention, the relatively trusted environment comprises a software component.

In another preferred embodiment of the present invention, the software component is updateable.

In another preferred embodiment of the present invention, the software component comprises at least one tamper resistant software component.

In another preferred embodiment of the present invention, at least one of the software components is updateable.

In another preferred embodiment of the present invention, the relatively trusted environment comprises a hardware component.

In another preferred embodiment of the present invention, the hardware component comprises at least one tamper resistant hardware component.

In another preferred embodiment of the present invention, the relatively trusted environment comprises a firmware component.

In another preferred embodiment of the present invention, the firmware component is updateable.

In another preferred embodiment of the present invention, the firmware component comprises at least one tamper resistant firmware component.

In another preferred embodiment of the present invention, at least one of the tamper resistant firmware components is updateable.

In another preferred embodiment of the present invention, the relatively trusted environment comprises at least two components.

In another preferred embodiment of the present invention, at least one of the components comprises a software component.

In another preferred embodiment of the present invention, the software component is updateable.

In another preferred embodiment of the present invention, the software component comprises at least one tamper resistant software component.

In another preferred embodiment of the present invention, at least one of the software components is updateable.

In another preferred embodiment of the present invention, at least one of the components comprises a hardware component.

In another preferred embodiment of the present invention, the hardware component comprises at least one tamper resistant hardware component.

In another preferred embodiment of the present invention, at least one of the components comprises a firmware component.

In another preferred embodiment of the present invention, the firmware component is updateable.

In another preferred embodiment of the present invention, the firmware component comprises at least one tamper resistant firmware component.

In another preferred embodiment of the present invention, at least one of the firmware components is updateable.
In another preferred embodiment of the present invention, at least one of the inputs comprises a key.

In another preferred embodiment of the present invention, the key is a cryptographic key.

In another preferred embodiment of the present invention, the key is a scrambling key.

In another preferred embodiment of the present invention, at least one of the inputs comprises a scrambled copy of the digital content, and at least one other input comprises the information needed for the reproduction.

In another preferred embodiment of the present invention, a group of at least two of the inputs comprises a function of a scrambled copy of the digital content, and at least one other input comprises the information needed for reconstruction.

In another preferred embodiment of the present invention, the reproduction results in an output that is identical to the digital content.

In another preferred embodiment of the present invention, the reproduction results in an output that is sufficiently similar to the digital content.

In another preferred embodiment of the present invention, a group of at least two of the inputs comprises a function of the digital content.

In another preferred embodiment of the present invention, the function comprises splitting the digital content into the inputs.

In another preferred embodiment of the present invention, the method comprises using at least one updateable component.

In another preferred embodiment of the present invention, the updateable component is associated with a revision level identifier.
In another preferred embodiment of the present invention, the revision level identifier is a version number.

In another preferred embodiment of the present invention, the revision level identifier is a revision date.

In another preferred embodiment of the present invention, at least one aspect of the operation of the underlying system depends on the revision level.

In another preferred embodiment of the present invention, at least some functionality of the underlying system is limited if the revision level does not belong to a specific set of revision levels.

In another preferred embodiment of the present invention, the limited functionality comprises the ability to receive a set of digital content.

In another preferred embodiment of the present invention, the limited functionality comprises the ability to receive a set of digital content in a specific format.

In another preferred embodiment of the present invention, the limited functionality comprises the ability to receive a set of digital content in a specific method.

In another preferred embodiment of the present invention, the revision level is communicated to at least one other component of the underlying system by the updateable component.

In another preferred embodiment of the present invention, the communication is initiated by the updateable component.

In another preferred embodiment of the present invention, the communication is part of another communication that is part of the normal workflow of the underlying system.
In another preferred embodiment of the present invention, the communication is initiated by the other component of the underlying system.

In another preferred embodiment of the present invention, a component within the untrusted environment queries another component in the underlying system for a revisioned version of the updateable component.

In another preferred embodiment of the present invention, transfer of the updateable component is performed automatically without intervention.

In another preferred embodiment of the present invention, transfer of the updateable component is initiated by approval.

In another preferred embodiment of the present invention, installation of the updateable component is performed automatically without intervention.

In another preferred embodiment of the present invention, installation of the updateable component is initiated by approval.

In another preferred embodiment of the present invention, the digital content is split into the separate inputs in a relatively trusted server, the server being operable to deliver the digital content to the relatively trusted environment in the form of the separate inputs.

In another preferred embodiment of the present invention, wherein the digital content arrives at the relatively trusted server in the form of second separate inputs, different from the first separate inputs, the relatively trusted server is operable to rearrange the digital content into the form of the first separate inputs.

In another preferred embodiment of the present invention, the digital content arrives at a server in the form of the separate inputs, the server being operable to deliver the digital content to the relatively trusted environment in the form of the separate inputs.
According to a second aspect of the present invention there is provided a method for secure distribution of digital content comprising the steps of: gathering input from at least one source; producing trustworthiness credentials about the digital content's intended recipient environment based on the input; evaluating the intended recipient environment's trustworthiness credentials; determining a distribution policy according to the trustworthiness credentials evaluation; and making decisions about the distribution according to the policy.
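The second aspect's pipeline (gather inputs, produce credentials, evaluate, choose a policy, decide), together with the revision-level gating described for the updateable component, as an added Python example that is not the patent's own code. The credential fields, level scales, score thresholds and the trusted revision set are constructed assumptions; the point is that the decision is a function of the gathered credentials and that an out-of-date component limits functionality regardless of score.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Revisions of the updateable client component that are still trusted (constructed).
TRUSTED_REVISIONS = {"2.1", "2.2"}

# Minimum credential score for each distribution policy, most permissive first
# (constructed thresholds; a deployment would tune these per business rule).
POLICY_THRESHOLDS = [(6, "premium"), (3, "standard"), (0, "preview")]

# Functionality granted by each policy: the set of formats that may be received.
POLICY_FORMATS = {
    "premium": ["hd", "sd"],
    "standard": ["sd"],
    "preview": ["preview-clip"],
    "update-required": ["preview-clip"],   # limited until the component is updated
    "deny": [],
}


@dataclass
class EnvironmentReport:
    """Inputs gathered about the intended recipient environment (constructed fields)."""
    geo_auth_level: int        # 0 none, 1 network-based estimate, 2 hardware-assisted
    identity_auth_level: int   # 0 anonymous, 1 password-phrase, 2 key/challenge-response
    revision_level: str        # revision identifier reported by the updateable component
    video_card: str            # renderer report
    video_out_present: bool    # external interface a recorder could be attached to
    tamper_resistant: bool     # a relatively trusted component is present and self-checked
    past_violations: int       # usage information gathered in the past


@dataclass
class Credentials:
    """Trustworthiness credentials derived from the report."""
    score: int
    reasons: list[str] = field(default_factory=list)


def produce_credentials(report: EnvironmentReport) -> Credentials:
    """Turn raw environment inputs into a score plus the reasons behind it."""
    score = report.geo_auth_level + report.identity_auth_level
    reasons: list[str] = []
    if report.revision_level in TRUSTED_REVISIONS:
        score += 2
    else:
        reasons.append(f"revision {report.revision_level} is not in the trusted set")
    if report.tamper_resistant:
        score += 2
    else:
        reasons.append("no tamper resistant component reported")
    if report.video_out_present:
        score -= 1
        reasons.append(f"video-out interface present on {report.video_card}")
    if report.past_violations:
        score -= min(3, report.past_violations)
        reasons.append(f"{report.past_violations} past usage violation(s)")
    return Credentials(score, reasons)


def determine_policy(report: EnvironmentReport, creds: Credentials) -> str:
    """Map evaluated credentials to a distribution policy name."""
    # An out-of-date component limits functionality regardless of the score.
    if report.revision_level not in TRUSTED_REVISIONS:
        return "update-required"
    for threshold, name in POLICY_THRESHOLDS:
        if creds.score >= threshold:
            return name
    return "deny"


def decide_distribution(report: EnvironmentReport) -> dict:
    """Full pipeline: gather -> credentials -> evaluate -> policy -> decision."""
    creds = produce_credentials(report)
    policy = determine_policy(report, creds)
    return {
        "policy": policy,
        "formats": POLICY_FORMATS[policy],
        "score": creds.score,
        "reasons": creds.reasons,
    }
```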

In a preferred embodiment of the present invention, the digital content is a document.

In another preferred embodiment of the present invention, the digital content is multimedia digital content.

In another preferred embodiment of the present invention, the multimedia digital content is audio digital content.

In another preferred embodiment of the present invention, the multimedia digital content is video digital content.

In another preferred embodiment of the present invention, the multimedia digital content consists of at least two different streams.

In another preferred embodiment of the present invention, the credentials comprise geo-location information.

In another preferred embodiment of the present invention, the credentials comprise geo-location authentication level information.

In another preferred embodiment of the present invention, the credentials comprise authentication level information.

In another preferred embodiment of the present invention, the credentials comprise information gathered in the past.

In another preferred embodiment of the present invention, the credentials further comprise information gathered from analysis of the information gathered in the past.

In another preferred embodiment of the present invention, the information gathered in the past comprises usage information.

In another preferred embodiment of the present invention, the credentials comprise information about the environment into which the digital content is to be distributed.

In another preferred embodiment of the present invention, the information about the environment into which the digital content is to be distributed comprises information about the software environment into which the digital content is to be distributed.

In another preferred embodiment of the present invention, the information about the environment into which the digital content is to be distributed comprises information about the hardware environment into which the digital content is to be distributed.

In another preferred embodiment of the present invention, the information about the hardware environment into which the digital content is to be distributed comprises information about the video output hardware in that environment.

In another preferred embodiment of the present invention, the information about the hardware environment into which the digital content is to be distributed comprises information about the sound output hardware in that environment.
In another preferred embodiment of the present invention, the information about the environment into which the digital content is to be distributed comprises information about the firmware environment into which the digital content is to be distributed.

In another preferred embodiment of the present invention, the credentials comprise reports from at least one relatively trusted component.

In another preferred embodiment of the present invention, at least one of the components resides in the consumer's computer.

In another preferred embodiment of the present invention, at least one of the components is connected to the consumer's computer.

In another preferred embodiment of the present invention, at least one of the components is a software component.

In another preferred embodiment of the present invention, at least one of the components is a firmware component.

In another preferred embodiment of the present invention, at least one of the components is a tamper resistant component.

In another preferred embodiment of the present invention, at least one of the components is a hardware component.

In another preferred embodiment of the present invention, at least one of the software components is updateable.

In another preferred embodiment of the present invention, at least one of the firmware components is updateable.

In another preferred embodiment of the present invention, the method comprises using at least one updateable component.

In another preferred embodiment of the present invention, the updateable component is associated with a revision level identifier.

In another preferred embodiment of the present invention, the revision level identifier is a version number.

In another preferred embodiment of the present invention, the revision level identifier is a revision date.

In another preferred embodiment of the present invention, at least one aspect of the operation of the underlying system depends on the revision level.

In another preferred embodiment of the present invention, at least some functionality of the underlying system is limited if the revision level does not belong to a specific set of revision levels.

In another preferred embodiment of the present invention, the limited functionality comprises the ability to receive a set of digital content.

In another preferred embodiment of the present invention, the limited functionality comprises the ability to receive a set of digital content in a specific format.

In another preferred embodiment of the present invention, the limited functionality comprises the ability to receive a set of digital content in a specific method.

In another preferred embodiment of the present invention, the revision level is communicated to at least one other component of the underlying system by the updateable component.

In another preferred embodiment of the present invention, the communication is initiated by the updateable component.

In another preferred embodiment of the present invention, the communication is part of another communication that is part of the normal workflow of the underlying system.

In another preferred embodiment of the present invention, the communication is initiated by the other component of the underlying system.

In another preferred embodiment of the present invention, a component within the untrusted environment queries another component in the underlying system for a revisioned version of the updateable component.

In another preferred embodiment of the present invention, transfer of the updateable component is performed automatically without intervention.

In another preferred embodiment of the present invention, transfer of the updateable component is initiated by approval.

In another preferred embodiment of the present invention, installation of the updateable component is performed automatically without intervention.

In another preferred embodiment of the present invention, installation of the updateable component is initiated by approval.

In another preferred embodiment of the present invention, the credentials comprise the revision level.

According to a third aspect of the present invention there is provided a method for secure distribution of digital content comprising the steps of: transferring digital media to an untrusted environment; and using a relatively trusted environment within the untrusted environment operable to receive the digital content, the relatively trusted environment comprising mechanisms to restrict tampering with the relatively trusted environment.

In a preferred embodiment of the present invention, the relatively trusted environment comprises at least two components.

In another preferred embodiment of the present invention, the components comprise at least one hardware component.

In another preferred embodiment of the present invention, the components comprise at least one software component.

In another preferred embodiment of the present invention, the components comprise at least one firmware component.

In another preferred embodiment of the present invention, the relatively trusted environment is a hardware component.

In another preferred embodiment of the present invention, the relatively trusted environment is a firmware component.

In another preferred embodiment of the present invention, the relatively trusted environment is a software component.

In another preferred embodiment of the present invention, the components comprise a watchdog component, the watchdog component being capable of monitoring other components of the relatively trusted environment.

In another preferred embodiment of the present invention, the monitoring comprises authentication.

In another preferred embodiment of the present invention, the authentication comprises authentication of a certificate.

In another preferred embodiment of the present invention, the certificate is a cryptographic certificate.

In another preferred embodiment of the present invention, the authentication comprises authentication of the code of the component.

In another preferred embodiment of the present invention, the authentication of the code of the component comprises calculating a derivative of the code.

In another preferred embodiment of the present invention, the authentication of the code of the component comprises analysis of the potential operation of the code.

In another preferred embodiment of the present invention, the authentication comprises a challenge-response method, which comprises a step in which the watchdog component queries the authenticated component by issuing an input, and further comprises a later step in which the authenticated component issues an output to the watchdog, the output being dependent on the input; the authentication is based on the correctness of the output given the input.
In another preferred embodiment of the present invention, the monitoring comprises monitoring of the operation of the components.

In another preferred embodiment of the present invention, the monitoring of the operation of the components comprises monitoring of used interfaces.

In another preferred embodiment of the present invention, the monitoring of used interfaces comprises monitoring of used operating system calls.

In another preferred embodiment of the present invention, the monitoring of used interfaces comprises monitoring of file operations.

In another preferred embodiment of the present invention, the monitoring of used interfaces comprises monitoring of memory operations.

In another preferred embodiment of the present invention, the monitoring of used interfaces comprises monitoring of,

In another preferred embodiment of the present invention, the monitoring of used interfaces comprises monitoring of driver operations.

In another preferred embodiment of the present invention, the monitoring of used interfaces comprises monitoring of input operations.

In another preferred embodiment of the present invention, the monitoring of used interfaces comprises monitoring of output operations.

In another preferred embodiment of the present invention, the monitoring of used interfaces comprises monitoring of interfaces used by interfaced entities.

In another preferred embodiment of the present invention, the monitoring of used interfaces comprises monitoring of at least one of the following: interfaces used by interfaced entities, output operations, input operations, driver operations, communication operations, used operating system calls, file operations, memory operations and used interfaces.
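The watchdog embodiments above (code authentication by a derivative of the code, the challenge-response exchange, and monitoring of the interfaces a component uses) as one added Python example; it is not the patent's code. It assumes a per-component secret provisioned at install time, SHA-256 as the code derivative, HMAC for the response, and a constructed allow-list and operation log; the component names and code images are constructed too.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Component:
    """A monitored component of the relatively trusted environment (constructed)."""
    name: str
    code: bytes                       # bytes of the component's code image
    key: bytes                        # per-component secret provisioned at install
    ops_used: list[str] = field(default_factory=list)   # observed interface use

    def respond(self, challenge: bytes) -> bytes:
        """Challenge-response: the output depends on the input and on the
        component's own code, so a patched image cannot answer correctly."""
        code_digest = hashlib.sha256(self.code).digest()
        return hmac.new(self.key, challenge + code_digest, "sha256").digest()


class Watchdog:
    """Monitors other components: code authentication, challenge-response and
    interface-use auditing against a per-component allow-list."""

    def __init__(self, expected: dict[str, tuple[bytes, bytes]],
                 allowed_ops: dict[str, set[str]]) -> None:
        self.expected = expected        # name -> (expected code digest, key)
        self.allowed_ops = allowed_ops  # name -> interfaces it may use

    def authenticate_code(self, comp: Component) -> bool:
        """The derivative of the code (SHA-256) must match the expected digest."""
        entry = self.expected.get(comp.name)
        if entry is None:
            return False
        return hmac.compare_digest(hashlib.sha256(comp.code).digest(), entry[0])

    def challenge(self, comp: Component) -> bool:
        """Issue a fresh random input and check the output against what the
        genuine component would return for it."""
        entry = self.expected.get(comp.name)
        if entry is None:
            return False
        nonce = secrets.token_bytes(16)
        expected = hmac.new(entry[1], nonce + entry[0], "sha256").digest()
        return hmac.compare_digest(comp.respond(nonce), expected)

    def audit_interfaces(self, comp: Component) -> list[str]:
        """Return the operations the component used that it is not allowed to use."""
        allowed = self.allowed_ops.get(comp.name, set())
        return [op for op in comp.ops_used if op not in allowed]

    def monitor(self, comp: Component) -> dict:
        """One monitoring pass over a component."""
        return {
            "code_ok": self.authenticate_code(comp),
            "challenge_ok": self.challenge(comp),
            "violations": self.audit_interfaces(comp),
        }


def demo() -> tuple[dict, dict]:
    """Run the watchdog over a genuine decoder and over a patched copy (constructed)."""
    code = b"constructed decoder code image v2.2"
    key = b"constructed-per-component-key"
    wd = Watchdog(
        expected={"decoder": (hashlib.sha256(code).digest(), key)},
        allowed_ops={"decoder": {"file:read", "mem:alloc", "driver:video"}},
    )
    genuine = Component("decoder", code, key, ["file:read", "mem:alloc", "driver:video"])
    # A patched image that also writes to disk and sends data out: it fails both
    # authentication checks and its extra interface use is flagged.
    patched = Component("decoder", code + b"-patched", key,
                        ["file:read", "mem:alloc", "file:write", "net:send"])
    return wd.monitor(genuine), wd.monitor(patched)
```

The response binds to the code digest only as strongly as the per-component key is protected, which is why the page places such secrets in tamper resistant hardware or firmware components.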

In another preferred embodiment of the present invention, the relatively trusted environment comprises at least one updateable component.

In another preferred embodiment of the present invention, the updateable component is associated with a revision level identifier.

In another preferred embodiment of the present invention, the revision level identifier is a version number.

In another preferred embodiment of the present invention, the revision level identifier is a revision date.

In another preferred embodiment of the present invention, at least one aspect of the operation of the underlying system depends on the revision level.

In another preferred embodiment of the present invention, at least some functionality of the underlying system is limited if the revision level does not belong to a specific set of revision levels.

In another preferred embodiment of the present invention, the limited functionality comprises the ability to receive a set of digital content.

In another preferred embodiment of the present invention, the limited functionality comprises the ability to receive a set of digital content in a specific format.

In another preferred embodiment of the present invention, the limited 
functionality comprise of the ability to receive a set of digital content in a 
specific method. 

In another preferred embodiment of the present invention, the revision level is 
communicated to at least one other component of the underlying system by the 
updateable component. 

In another preferred embodiment of the present invention, the communication 
is initiated by the updateable component. 

In another preferred embodiment of the present invention, the communication 
is part of another communication that is part of the normal workflow of the 
underlying system. 

In another preferred embodiment of the present invention, the communication 
is initiated by the other component of the underlying system. 

In another preferred embodiment of the present invention, a component within 
the untrusted environment queries another component in the underlying system 
for the revision level of the updateable component. 

In another preferred embodiment of the present invention, transfer of the 
updateable component is performed automatically without intervention. 

In another preferred embodiment of the present invention, transfer of the 
updateable component is initiated by approval. 

In another preferred embodiment of the present invention, installation of the 
updateable component is performed automatically without intervention. 

In another preferred embodiment of the present invention, installation of the 
updateable component is initiated by approval. 

In another preferred embodiment of the present invention, at least one of the 
components comprises functionality to monitor at least one of its interfaces. 

In another preferred embodiment of the present invention, the monitoring 
comprises authentication. 

In another preferred embodiment of the present invention, the authentication 
comprises authentication of a certificate. 

In another preferred embodiment of the present invention, the certificate is a 
cryptographic certificate. 

In another preferred embodiment of the present invention, the authentication 
comprises a challenge-response method which comprises a step in which 
the component queries the interfaced entity by issuing an input, and further 
comprises a later step in which the interfaced entity issues an output to the 
component, the output being dependent on the input, and the authentication is 
based on the correctness of the output for the given input. 

In another preferred embodiment of the present invention, the method comprises 
functionality to monitor at least one of the interfaces used by the underlying 
system. 

In another preferred embodiment of the present invention, the monitoring 
comprises authentication. 

In another preferred embodiment of the present invention, the authentication 
comprises authentication of a certificate. 

In another preferred embodiment of the present invention, the certificate is a 
cryptographic certificate. 

In another preferred embodiment of the present invention, the authentication 
comprises a challenge-response method which comprises a step in which 
the interfaced entity is queried by issuing an input, and further comprises a 
later step in which the interfaced entity issues back an output, the output being 
dependent on the input, and the authentication is based on the correctness of the 
output for the given input. 
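The challenge-response authentication of the embodiments above (a watchdog querying a path component, or a component querying one of its interfaced entities) carried out in working code. This is an added example and not part of the patent; the shared-secret HMAC-SHA256 construction, the class names, the per-component registry and the single-use challenge handling are assumptions of the example, chosen so that a recorded answer from an earlier run is not accepted again.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class PathComponent:
    """A component of the secure path (e.g. a source filter or renderer).

    Assumed design, not specified in the patent text: each legitimate
    component holds a secret provisioned at install time, and the correct
    output for a challenge input is HMAC-SHA256(secret, input).
    """

    def __init__(self, name: str, secret: bytes) -> None:
        self.name = name
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        """Later step: issue the output that depends on the input."""
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Watchdog:
    """Issues challenges and decides whether a component may stay in the path."""

    def __init__(self, registry: Dict[str, bytes]) -> None:
        # Components that should participate in the path, with their secrets.
        self._registry = registry
        # Outstanding challenges, one per component name.
        self._pending: Dict[str, bytes] = {}

    def issue_challenge(self, name: str) -> bytes:
        # First step: query the entity with a fresh, unpredictable input so a
        # recorded answer from an earlier run cannot be replayed.
        challenge = secrets.token_bytes(32)
        self._pending[name] = challenge
        return challenge

    def verify(self, name: str, output: bytes) -> bool:
        """Authentication is based on the correctness of the output for the input."""
        secret: Optional[bytes] = self._registry.get(name)
        challenge = self._pending.pop(name, None)  # each challenge is used once
        if secret is None or challenge is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, output)


def authenticate(watchdog: Watchdog, component: PathComponent) -> bool:
    """Run one full challenge-response round between watchdog and component."""
    challenge = watchdog.issue_challenge(component.name)
    return watchdog.verify(component.name, component.respond(challenge))


if __name__ == "__main__":
    # Constructed secrets for a demonstration run.
    registry = {"source_filter": b"\x01" * 32, "video_renderer": b"\x02" * 32}
    watchdog = Watchdog(registry)
    print(authenticate(watchdog, PathComponent("source_filter", b"\x01" * 32)))  # True
    print(authenticate(watchdog, PathComponent("source_filter", b"\xff" * 32)))  # False
```

The same exchange serves the component-side embodiment: a filter that monitors its own interfaces plays the `Watchdog` role towards each interfaced entity. A component whose name is not in the registry, or which cannot produce the correct output for the fresh input, fails authentication, which is the signal the watchdog uses to deem the path tampered.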

In another preferred embodiment of the present invention, the digital content 
arrives into the relatively trusted environment in a cryptographically encrypted 
format. 

In another preferred embodiment of the present invention, information gathered 
from monitoring by at least one component is transferred to the watchdog 
component by the component. 

In another preferred embodiment of the present invention, information gathered 
by the watchdog component is transferred as credentials information to a 
credentials based decision-making mechanism. 

In another preferred embodiment of the present invention, the relatively trusted 
environment comprises a mechanism to restrict copying of at least one of the 
outputs the relatively trusted environment generates. 

In another preferred embodiment of the present invention, the output is part of 
an internal interface. 

In another preferred embodiment of the present invention, the output is an 
external output. 

In another preferred embodiment of the present invention, the external output 
is sound output. 

In another preferred embodiment of the present invention, the external output 
is video output. 

In another preferred embodiment of the present invention, the external output 
is analog output. 

In another preferred embodiment of the present invention, the analog output is 
analog sound output. 

In another preferred embodiment of the present invention, the analog output is 
analog video output. 

In another preferred embodiment of the present invention, the mechanism to 
restrict copying comprises altering the output in order to change a quality of 
the copy that is produced by the copying. 

In another preferred embodiment of the present invention, the quality of the 
copy is the observable quality of the copy. 

In another preferred embodiment of the present invention, the change of the 
quality is to adversely affect the quality. 

In another preferred embodiment of the present invention, the copying is digital 
copying. 

In another preferred embodiment of the present invention, the copying is 
non-digital copying. 

In another preferred embodiment of the present invention, the copying is digital 
copying that involves a non-digital transition. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The present invention will be understood and appreciated more fully from 
the following detailed description taken in conjunction with the appended 
drawings in which: 

Fig. 1 is a simplified conceptual flow illustration of a method for copy 
protection for digital content constructed and operative in accordance with a 
preferred embodiment of the present invention; 

Fig. 2 is a simplified illustration of a system for copy protection, 
substantially similar to the system described in figure 1, operative in 
accordance with a preferred embodiment of the present invention; 

Fig. 3 is a simplified description of macro-blocks scrambling, operative in 
accordance with a preferred embodiment of the present invention; 

Fig. 4 is an illustration of a system for trustworthiness credential 
assignment, based on geo-location, authentication level and reports from 
software client, operative in accordance with a preferred embodiment of the 
present invention; 

Fig. 5 is an illustration of a system, substantially similar to the system 
described in figure 2, operative in accordance with a preferred embodiment 
of the present invention, that further enhances the security of the path; 

Fig. 6 is an illustration of a flowchart of a method, operative in accordance 
with a preferred embodiment of the present invention, that is used in order 
to locate infringing software components, such as "Trojan horses", in the 
secure video path; 

Fig. 7 is an illustration of security augmentation using hardware 
components, operative in accordance with a preferred embodiment of the 
present invention; 

Fig. 8 is an illustration of a method for security improvements along the 
system lifecycle using automatic software updates, operative in accordance 
with a preferred embodiment of the present invention; 

Fig. 9 is an illustration of another method for security improvements along 
the system lifecycle using automatic software updates, substantially similar 
to the method described in figure 8, operative in accordance with a preferred 
embodiment of the present invention; and 

Fig. 10 is an illustration of a system, said system including a client that is 
substantially similar to the system illustrated in figure 2, where the source 
digital content and the digital content server reside in a secured zone, 
operative in accordance with a preferred embodiment of the present 
invention. 
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 

The present invention seeks to provide a system and a method for digital 
content protection, in order to mitigate the hazards of copyright 
infringement. For a better understanding of the invention and to show how 
the same may be carried into effect, reference will now be made, purely by 
way of example, to the accompanying drawings. 

With specific reference now to the drawings in detail, it is stressed that the 
particulars shown are by way of example and for purposes of illustrative 
discussion of the preferred embodiments of the present invention only, and 
are presented in the cause of providing what is believed to be the most 
useful and readily understood description of the principles and conceptual 
aspects of the invention. In this regard, no attempt is made to show 
structural details of the invention in more detail than is necessary for a 
fundamental understanding of the invention, the description taken with the 
drawings making apparent to those skilled in the art how the several forms 
of the invention may be embodied in practice. In the accompanying 
drawings: 

Fig. 1 is a simplified conceptual flow illustration of a system for copy 
protection for digital content, constructed and operative in accordance with a 
preferred embodiment of the present invention. In the system of Fig. 1, 
parts of the basic stream 100 are scrambled, using a scrambling module 110, 
thereby substantially degrading the quality of the final digital content. The 
scrambling is preferably induced by a secret key 120. The information that is 
needed in order to reproduce the original digital content is included in a 
stream 130 that undergoes a different path. The digital content in the main path 
140 may be subjected to further processing 150. One component of the 
system, dubbed the de-scrambler 160, which is preferably a tamper-resistant 
component, receives information from both paths and performs the 
computations that are required in order to reproduce the desired digital 
content 170. 

Reference is now made to figure 2, which is a simplified illustration of a 
system, substantially similar to the system described in figure 1, operative in 
accordance with a preferred embodiment of the present invention. In the 
system of figure 2 the digital content in the basic path 200 is encrypted, 
using any standard encryption technique, in order to enhance the security 
level. The basic path enters a module 204, dubbed "source filter". The 
decryption module 202 decrypts the digital content. The decrypted digital 
content is thereafter decoded by the decoding sub-module 2102 (e.g., 
if the digital content is a video digital content, compressed/encoded using 
standard MPEG encoding, the decoder performs decoding/uncompressing, 
which results in a bitstream that represents a sequence of frames and an audio 
stream). The scrambling sub-module 2104 thereafter scrambles the digital 
content (e.g., by changing the order of several macro-blocks in some of the 
frames). The resulting bitstream 240 represents a crippled digital content that 
can be properly rendered only by using side information (e.g., in cases 
where the digital content is a video digital content, and the scrambling 
consists of changing the order of some macro-blocks, the side information 
should reveal the correct order of the macro-blocks). The renderer and 
descrambler module 260 reproduces the desired digital content; if the digital 
content is a video digital content, then the renderer produces the to-be-displayed 
frames and uses the information in the side-path 230 in order to 
reconstruct the correct order of the macro-blocks. The resulting sequence of 
frames 270 is ready to be displayed by a standard display device. 

Note that, while scrambling is essentially a form of encryption, the 
scrambling retains much of the aspects of the decrypted digital content, 
thereby allowing most of the processing that needs to be done on decrypted 
digital content to be performed at a more secure level. 
Reference is now made to figure 3, which is a simplified description of 
macro-blocks scrambling, operative in accordance with a preferred 
embodiment of the present invention. The digital content 300 is divided into 
macroblocks, which are scrambled by the scrambling module 3104, 
preferably using the side information 330. The scrambled digital content 340 
can then be transferred in a more secure manner to the de-scrambling 
module 360, which reconstructs the correct order of the macro-blocks 370. 
The macroblocks can be the same macroblocks that are used for motion 
estimation in the standard MPEG format. 
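The macro-block scrambling of figures 1 to 3 in working code, as an added example that is not part of the patent. Frames are modelled as lists of fixed-size byte blocks rather than MPEG macroblocks; the way the secret key (120) drives the permutation (HMAC-SHA256 of the frame index seeding a shuffle), the choice of scrambling every second frame, and the function names are assumptions of the example. The side path carries only the permutation, so the main path alone yields a crippled frame and the de-scrambler needs both paths, as the text describes.

```python
import hashlib
import hmac
import random
from typing import Dict, List, Tuple

# A frame is modelled as a list of macroblocks; a macroblock is raw bytes.
Frame = List[bytes]


def split_into_macroblocks(frame_data: bytes, macroblock_size: int) -> Frame:
    """Cut raw frame data into fixed-size macroblocks (toy layout, not MPEG)."""
    if macroblock_size <= 0 or len(frame_data) % macroblock_size:
        raise ValueError("frame length must be a positive multiple of the macroblock size")
    return [frame_data[i:i + macroblock_size]
            for i in range(0, len(frame_data), macroblock_size)]


def derive_permutation(key: bytes, frame_index: int, n_blocks: int) -> List[int]:
    """Derive the block order for one frame from the secret key (120 in Fig. 1).

    Assumed construction: HMAC-SHA256(key, frame index) seeds a shuffle, so
    every frame gets its own permutation without storing extra key material.
    """
    seed = hmac.new(key, frame_index.to_bytes(8, "big"), hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    order = list(range(n_blocks))
    rng.shuffle(order)
    return order


def scramble_frame(frame: Frame, key: bytes, frame_index: int) -> Tuple[Frame, List[int]]:
    """Scrambling module 110/3104: reorder macroblocks.

    Returns the crippled frame for the main path and the side information
    (the permutation) for the side path.
    """
    order = derive_permutation(key, frame_index, len(frame))
    scrambled = [frame[src] for src in order]  # position i now holds block order[i]
    return scrambled, order


def descramble_frame(scrambled: Frame, order: List[int]) -> Frame:
    """De-scrambler 160/360: restore the original order from the side information only."""
    restored: Frame = [b""] * len(scrambled)
    for dst, src in enumerate(order):
        restored[src] = scrambled[dst]
    return restored


def scramble_sequence(frames: List[Frame], key: bytes, every_nth: int = 2
                      ) -> Tuple[List[Frame], Dict[int, List[int]]]:
    """Scramble some of the frames (every n-th one here); the others pass untouched."""
    main_path: List[Frame] = []
    side_path: Dict[int, List[int]] = {}
    for idx, frame in enumerate(frames):
        if idx % every_nth == 0:
            crippled, order = scramble_frame(frame, key, idx)
            main_path.append(crippled)
            side_path[idx] = order
        else:
            main_path.append(frame)
    return main_path, side_path


def descramble_sequence(main_path: List[Frame], side_path: Dict[int, List[int]]) -> List[Frame]:
    """Renderer/descrambler 260: apply the side information where it exists."""
    return [descramble_frame(f, side_path[i]) if i in side_path else f
            for i, f in enumerate(main_path)]


def displaced_blocks(original: Frame, other: Frame) -> int:
    """How many macroblock positions differ; a rough measure of the quality degradation."""
    return sum(1 for a, b in zip(original, other) if a != b)
```

Because the scrambled frame keeps every macroblock intact, the steps that follow the decoder (further processing 150, the compositing a renderer does) can run on the crippled stream; only the final reordering needs the side path, which is the point the note after figure 2 makes about keeping most processing at the more secure level.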

Turning now to Fig. 4, there is illustrated a system for trustworthiness 
credential assignment, based on geo-location, authentication level and 
reports from software client, operative in accordance with a preferred 
embodiment of the present invention. Resulting trustworthiness credentials 
may be used in order to determine what protective measures should be used, 
in order to achieve a satisfactory trade-off between ease-of-use and 
protection level, and whether to allow the transaction (in the high risk cases). 
The geo-location subsystem 410 obtains information regarding the location 
of the user. Methods for obtaining geo-location data are described, e.g., in 
US patent application 09/922,846. The geo-location data evaluation 
sub-system 414 uses the gathered data in order to assign credentials to the user. 
E.g., coarse-grained geo-filtering can be used in order to determine whether 
the client comes from a state or a region that is notorious for not enforcing 
copyright protection laws. The authentication sub-system 420 is used to 
authenticate the user based on one or more of the known authentication 
methods (e.g., password-based or biometric-based authentication). The 
authentication data evaluation subsystem 424 receives data from the 
authentication subsystem 420, and preferably also from the geo-location 
subsystem 410: the geographical location of the user can be used in order to 
elevate the authenticity level, e.g., by checking the correlation between the 
stated address of the user and the geo-location data. Finally, another level of 
trustworthiness credentials can be established by knowing the software and 
hardware components that are used by the users in order to handle the digital 
content (e.g., digital content rendering, playing, displaying or recording). 
The components detection and reporting subsystem 430 detects components 
that are used for digital content handling and attempts to tamper with these 
components. If the said subsystem detects components that can be used in 
order to record or copy the data in an unauthorized manner, or to assist such 
an operation, or if attempts to tamper with these components are detected, it 
reports about them to the component data evaluation subsystem 434, which 
may use this data in order to reduce the trustworthiness level of the user, and 
preferably perform additional operations as dictated by the situation. The 
trustworthiness credential assignment subsystem 440 uses the data from the 
geo-location data evaluation subsystem 414, the authentication data 
evaluation subsystem 424, and the components data evaluation subsystem 
434 in order to assign trustworthiness credentials to the user. The policy 
determination subsystem 450 obtains the said trustworthiness credentials, and 
uses them in order to establish a more permissive policy if the user is 
trustworthy, and a less permissive policy if the user is suspected. 

In other embodiments of the present invention the policy differentiates 
between different levels of delivered quality, cost/ease of use for the 
consumer and/or the usage of certain protection mechanisms in the digital 
content delivery and/or displaying process. The policy determination 
subsystem 450 may use rules that are stored in the data storage 460 and may 
store reports and other relevant information in the database 460, preferably 
in an encrypted format. The output of the policy determination subsystem 
450 is used as an input to an authorisation mechanism 470. 
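The credential assignment and policy determination of Fig. 4 (subsystems 414, 424, 434, 440 and 450) as an added example in working code, not part of the patent. The scoring weights, the region codes, the authentication method labels, the disallowed-component penalty and the three policy tiers are constructed rules standing in for what the patent keeps in data storage 460; only the structure (three evaluations combined into a credential that selects a more or less permissive policy, including refusal in the high-risk case) follows the text.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List


@dataclass
class GeoEvaluation:
    """Output of the geo-location data evaluation subsystem 414 (constructed fields)."""
    region: str                    # placeholder region code, e.g. "REGION-A"
    matches_stated_address: bool   # correlation between stated address and geo-location


@dataclass
class AuthEvaluation:
    """Output of the authentication data evaluation subsystem 424."""
    method: str                    # "password" or "biometric" (constructed labels)


@dataclass
class ComponentEvaluation:
    """Output of the component data evaluation subsystem 434."""
    recording_capable: List[str] = field(default_factory=list)  # components able to record/copy
    tamper_attempts: int = 0


# Rules as they might sit in data storage 460; all values are constructed for this example.
HIGH_RISK_REGIONS = {"REGION-X"}
AUTH_STRENGTH = {"password": 1, "biometric": 2}


def geo_credential(geo: GeoEvaluation) -> int:
    """Coarse-grained geo-filtering: no credit for regions flagged as high risk."""
    return 0 if geo.region in HIGH_RISK_REGIONS else 1


def auth_credential(auth: AuthEvaluation, geo: GeoEvaluation) -> int:
    """Authentication level, elevated when geo-location agrees with the stated address."""
    return AUTH_STRENGTH.get(auth.method, 0) + (1 if geo.matches_stated_address else 0)


def component_penalty(comp: ComponentEvaluation) -> int:
    """Client reports lower trust: recording-capable components and tamper attempts."""
    penalty = 2 if comp.recording_capable else 0
    penalty += 2 if comp.tamper_attempts > 0 else 0
    return penalty


def assign_trustworthiness(geo: GeoEvaluation, auth: AuthEvaluation,
                           comp: ComponentEvaluation) -> int:
    """Subsystem 440: combine the three evaluations into a credential in 0..4."""
    score = geo_credential(geo) + auth_credential(auth, geo) - component_penalty(comp)
    return max(0, min(4, score))


def determine_policy(trust: int) -> Dict[str, Any]:
    """Subsystem 450: more permissive policy for trusted users, less for suspected ones.

    The policy differentiates delivered quality and the protection mechanism
    used; the high-risk tier refuses the transaction (input to mechanism 470).
    """
    if trust >= 4:
        return {"allow": True, "quality": "full", "protection": "scrambling"}
    if trust >= 2:
        return {"allow": True, "quality": "reduced", "protection": "scrambling+watchdog"}
    return {"allow": False, "quality": None, "protection": None}
```

The penalty terms are what make the component reports matter: a user who passes geo-filtering and biometric authentication still drops to the reduced tier when the client reports a recording-capable component, and to refusal when tampering with the path components is also observed.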

ru 

f IS Turning now to Fig. 5 a there is illustrated a system, substantially similar to 

J* the system described in figure 2, operative in accordance with a preferred 

embodiment of the present invention. The system further enhance the 

F'l 

■S as? 

?! 2. 

1 u security of the path by incorporating methods for path authentication, path 

consolidation and, preferably, in-path decryption. In order to maintain path 
20 authentication, the system uses a software component 550, commonly 
referred as '"watch-dog", which assures that the path is composed only of 
components that should participate in it, and that it was not subjected to 
tampering before and \ or during the passage of the digital content through 
the path, The path consolidation mechanism is preferably used in cases 
25 where the path is implemented using connected software components, 
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commonly dubbed "software filters" (in a "filter graph"). In this case, the 
secure path is composed of tamper resistant, consolidated filters, which use 
minimal external interfaces, thereby increasing the security of the system. In 
a preferred embodiment of the present invention, the number of filters is 
5 maintained as low as possible. In cases where no other constraint exists, 
only one such filter is included. In cases where compatibility with existing 
components or with a standard are required, the system is preferably 
composed of three filters; namely, source filter, video tenderer, and audio 
output The interface of each filter is preferably encrypted and \or secured 

10 using other methods. For encrypted digital content, decryption is done 
within the secure video path; thereby eliminating the chance of intercepting 
decrypted digital content outside the secure video path. 
Note that interface in this context could be performed in many ways, e.g., 
messaging protocols, program context, shared memory or stack, Also note 

15 that internal interfaces (such as the memory used for making calculations) 
may be externally accessed in many computer environments, Hence, a filter 
may have more interfaces than its designers intended. 

Turning now to Fig. 6, there is illustrated a flowchart of a method, operative 
in accordance with a preferred embodiment of the present invention, that is 
used in order to locate infringing software components, such as "Trojan 
horses", in the secure video path. The flowchart depicts an algorithm that 
recursively looks for suspicious code in called components (i.e. code which 
may perform suspicious operations), effectively checking if such code exists 
within the components that may be called by the checked component. 
The first step 605 selects the operating component to be checked, usually the 
first component in the path or filter graph. It is assigned a label - step 610 - 
"to be checked" or "unchecked", designating it as an unchecked component 
(in this case the root component). Next - step 615 - a successful termination 
condition is checked - 'were all components designated for checking 
checked and deemed OK?'. If the condition was satisfied - step 620 - the 
path is deemed safe for digital content delivery and/or play. If the condition 
was not satisfied, the process continues - step 625 - and a component is 
selected for checking (the identity of the component to be selected and the 
order of selection are not critical for the algorithm and dictate the sort of 
traversal of the underlying call tree - DFS, BFS, etc. In a preferred 
embodiment of the present invention the mode of operation is DFS (Depth 
First Search), which dictates that the component to be selected should 
preferably be the last labeled component). Next - step 630 - the component is 
checked for suspicious code. If such code exists in the component, a 
termination condition is met - step 635 - and the path is deemed unsafe. If 
such code does not exist - step 640 - the selected component is labeled 
"checked". Next - step 645 - the group of components called by the 
selected component is selected. The components in the selected group which 
are not labeled as "checked" are labeled "to be checked" - step 650. At this 
stage the test in step 615 is recursively repeated and the process recursively 
continues. 

Note that this algorithm can be easily expanded by changing steps 605, 610, 
to start with a group of components to be checked (for example if several 
sources exist for a certain digital content, or if the software performing the 
related operations contains several independent components). 
Methods for identifying suspicious components might be based, e.g., on 
tracing the current component's ingoing and/or outgoing function calls, 
monitoring the system registry and utilizing the operating system services. 
In another embodiment of the present invention, the software components 
are searched using one of the known node-graph searching methods, where 
each software component is regarded as a node in the node-graph and each 
software component's import (ingoing) and export (outgoing) routines are 
treated as directed branches. Infringement suspects are identified by 
monitoring various operations such as file operations, memory operations, 
communication operations, I/O operations, driver operations and others, or 
by reading the software components' files (even while those components are 
running) and examining their digest or digital signature for authenticity and 
compliance with the security measurements. 
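The Fig. 6 traversal (steps 605 to 650, in the DFS mode and with the note's extension to a group of starting components) together with the two ways of identifying suspects named in the paragraph above (a digest check of the component's file and a check of the operations observed for it), as one added example in working code that is not part of the patent. The call graph, the component files, the known-good digest list and the set of operations treated as disallowed for a rendering-path component are constructed for the example; a real deployment would read the graph from the filter graph and the digests from a signed manifest.

```python
import hashlib
from typing import Callable, Dict, List, Optional, Set, Tuple

# Node-graph of the path: component name -> components it may call
# (its import/export routines, treated as directed branches).
CallGraph = Dict[str, List[str]]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Operations that a component of a rendering path has no legitimate reason to
# perform; the labels are constructed for this example.
DISALLOWED_OPERATIONS = {"write_decoded_frames_to_file", "send_decoded_frames_to_network"}


def make_suspicion_check(
    component_files: Dict[str, bytes],
    known_good_digests: Dict[str, str],
    observed_operations: Dict[str, Set[str]],
) -> Callable[[str], bool]:
    """Build the 'suspicious code?' test of step 630 from two sources of evidence:
    the component file's digest against a known-good list, and the operations
    observed for the component (file, memory, communication, I/O, driver ...)."""

    def is_suspicious(component: str) -> bool:
        data = component_files.get(component)
        expected = known_good_digests.get(component)
        if data is None or expected is None or sha256_hex(data) != expected:
            return True  # unknown component, or its file no longer matches its digest
        return bool(observed_operations.get(component, set()) & DISALLOWED_OPERATIONS)

    return is_suspicious


def check_path(
    roots: List[str],
    calls: CallGraph,
    is_suspicious: Callable[[str], bool],
) -> Tuple[bool, Optional[str], List[str]]:
    """Fig. 6 traversal, extended per the note to start from a group of roots.

    Returns (safe, offending component or None, components labelled "checked").
    """
    to_be_checked: List[str] = list(roots)   # steps 605/610: roots labelled "to be checked"
    checked: Set[str] = set()
    while to_be_checked:                      # step 615: anything still designated for checking?
        component = to_be_checked.pop()       # step 625: DFS takes the last labelled component
        if is_suspicious(component):          # step 630
            return False, component, sorted(checked)   # step 635: path deemed unsafe
        checked.add(component)                # step 640
        for callee in calls.get(component, []):         # step 645: components it calls
            if callee not in checked and callee not in to_be_checked:
                to_be_checked.append(callee)  # step 650: label "to be checked"
    return True, None, sorted(checked)        # step 620: path deemed safe


if __name__ == "__main__":
    # Constructed filter graph and component files for a demonstration run.
    files = {"source_filter": b"sf", "decoder": b"dec", "renderer": b"rnd",
             "audio_output": b"ao", "screen_grabber": b"grab"}
    known_good = {n: sha256_hex(d) for n, d in files.items() if n != "screen_grabber"}
    graph = {"source_filter": ["decoder", "renderer"], "renderer": ["audio_output", "screen_grabber"]}
    print(check_path(["source_filter"], graph, make_suspicion_check(files, known_good, {})))
```

Reading the file and hashing it while the component runs (as the paragraph allows) catches a patched binary only if the on-disk file is what was loaded; the observed-operations check covers the case where the file is intact but the running component does something a renderer should not, which is why the example combines both before deeming the path safe.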

In case of suspected infringement, the digital content 
streaming/downloading/playing/delivery may be stopped, and/or the 
suspected infringement information may be sent to a server that shall decide 
whether to stop the digital content streaming/downloading/playing/delivery. 

Turning now to Fig. 7, there is an illustration of security augmentation using 
hardware components 705; said hardware components can be a hardware 
implementation of either one of the components or sub-systems described 
above, or a combination of two or more of the aforementioned components 
and sub-systems. 
Turning now to Fig. 8, there is an illustration of a method for security 
improvements along the system lifecycle using automatic software updates, 
operative in accordance with a preferred embodiment of the present 
invention. In step 801, the update server 805 informs client 815 about the 
needed update. In step 802 the client 815 sends a request for an update and 
in step 803 the update server 805 sends client 815 the required update. 

Turning now to Fig. 9, there is an illustration of another method for security 
improvements along the system lifecycle using automatic software updates, 
substantially similar to the method described in figure 8, operative in 
accordance with a preferred embodiment of the present invention. In step 
901 the update checking component 9152 in the client 915 asks update server 
905 about needed updates on a regular basis. In step 902 the update server 
905 answers client 915 and in step 903 the update server 905 sends the 
required update to the client 915. 

Turning now to Fig. 10, there is an illustration of a system, operative in 
accordance with a preferred embodiment of the present invention, said 
system including a client that is substantially similar to the system illustrated 
in figure 2, while the source digital content 1005 and the digital content 
server 1015 reside in a secured zone 1025. The source digital content is 
thereafter transferred via a secured path 1000 using a digital content server 
(e.g., a stream server) 1015. This way the entire path of the digital content, 
from the source to the player/display, is protected by encryption. In a 
preferred embodiment of the present invention, the digital content server 
packs the digital content, or parts of the digital content, in a "vehicle format", 
such as ASF, in order to increase the level of compatibility with existing 
software clients. 

It is appreciated that one or more steps of any of the methods described herein 
may be implemented in a different order than that shown, while not departing 
from the spirit and scope of the invention. 

While the present invention may or may not have been described 
with reference to specific hardware or software, the present invention has been 
described in a manner sufficient to enable persons having ordinary skill in the 
art to readily adapt commercially available hardware and software as may be 
needed to reduce any of the embodiments of the present invention to practice 
without undue experimentation and using conventional techniques. 

While the present invention has been described with reference to 
one or more specific embodiments, the description is intended to be illustrative 
of the invention as a whole and is not to be construed as limiting the invention 
to the embodiments shown. It is appreciated that various modifications may 
occur to those skilled in the art that, while not specifically shown herein, are 
nevertheless within the true spirit and scope of the invention. 